wid-sec-w-2026-0773 · Published 2026-03-17 · Source: BSI CERT-Bund

MongoDB: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.

Affected Vendors

Open Source

Affected Products (8)

Open Source · MongoDB <8.3.0-rc0
Open Source · MongoDB 8.3.0-rc0
Open Source · MongoDB <8.0.20
Open Source · MongoDB 8.0.20
Open Source · MongoDB <7.0.31
Open Source · MongoDB 7.0.31
Open Source · MongoDB <8.2.6
Open Source · MongoDB 8.2.6
